Adult FriendFinder Hack Exposes 400 Million Accounts

Account data for more than 400 million users of adult-themed FriendFinder Network has been exposed. The breach includes personal account data from five sites including Adult FriendFinder, Penthouse.com and Stripshow.com. FriendFinder Network did not confirm the breach and is investigating reports.

According to LeakedSource, which obtained the data and reported the breach Sunday, a total of 412 million accounts are impacted. LeakedSource reports that the hack occurred in the October 2016 timeframe and was not related to a similar breach at that time by hacker Revolver.

In a statement issued to Threatpost, FriendFinder Network said: “Our investigation is ongoing but we will continue to ensure all potential and substantiated reports of vulnerabilities are reviewed and if validated, remediated as quickly as possible.”

According to the statement, the company has received a number of reports of “potential” security vulnerabilities from a “variety of sources” over the past several weeks. It says it has hired external resources to support its investigation.

According to a news report by ZDNet, this most recent breach was conducted by an “underground Russian hacking site” that took advantage of a local file inclusion flaw first revealed by Revolver in October.

A local file inclusion vulnerability can allow a hacker to add local files to web servers via script and execute code. Hackers can take advantage of a LFI vulnerability when sites allow user-supplied input without proper validation, something Adult FriendFinder is guilty of, according to an October interview by Threatpost with Revolver, who also goes by the handle 1×0123.

In the case of the FriendFinder Network, Dale Meredith, ethical hacking expert and author at Pluralsight, hackers implemented a LFI allowing them to move folder structures on targeted servers in what is called a directory transversal. “This means they can issue commands to a system that would allow the attacker to move around and download any file on this computer,” he said.

LeakedSource bills itself as independent researchers who run a site that acts as a repository for breached data. The website sells one-time or paid subscriptions to such breached data. In May, LeakedSource faced a cease and desist order by LinkedIn for offering a paid subscription to access to 117 million breached LinkedIn user logins. LeakedSource did not return requests for comment for this story.

According to a blog post by LeakedSource, the FriendFinder Network data included 20 years of customer data. The breach includes data tied to 340 million AdultFriendFinder.com accounts, 62 million accounts from Cams.com, 7 million from Penthouse.com and 15 million “deleted” accounts that were not purged from the databases. Also impacted was a site called iCams.com and account data for 1 million users.

“We have decided that this data set will not be searchable by the general public on our main page temporarily for the time being,” according to the blog post on LeakedSource’s website.

According to several independent reviews of the breached data supplied by LeakedSource, the datasets included usernames, passwords, email addresses and dates of last visits. According to LeakedSource, passwords were stored as plaintext or protected using the weak cryptographic standard SHA-1 hash function. LeakedSource claims it has cracked 99 percent of the 412 million passwords.

This most recent breach follows an unconfirmed breach in October where hacker Revolver who claimed to have compromised “millions” of Adult FriendFinder accounts when he leveraged a local file inclusion vulnerability used to access the site’s backend servers. In 2015, more than 3.5 million Adult FriendFinder customers had intimate details of their profiles exposed. At the time, hackers put user records up for sale on the Dark Web for 70 Bitcoin, or $16,000 at the time. According to third-party reviews of this most recent FriendFinder Network breach, no sexual preference data was contained in the breached data.

In 2012, the website MilitarySingles.com fell victim to a similar local file inclusion vulnerability. The social network said, at the time, the vulnerability was tied to user generated content uploaded to the site. “Allowing the upload of user-generated content to the Web site can be extremely dangerous as the server which is usually considered by other users and the application itself as ‘trusted’ now hosts content that can be generated by a malicious source,” MilitarySingles.com said in a statement at the time of the intrusion.